Google Preps Fix For iOS Authenticator Wipe

Google Authenticator users: If you recently upgraded to the latest version of the iOS app, don't use it.

That warning was sounded by information security experts after reports surfaced that the latest version of Google's two-factor authentication app for the iPhone, iPad and iPod Touch was inadvertently deleting all related multi-factor authentication (MFA) tokens stored on a device.

Apple removed the Google Authenticator app Wednesday from its Apple Store. The latest version included user interface improvements for iPhone 5 and devices with a Retina Display.

Google's Authenticator app is designed to allow people to log into Google, as well as some external websites -- including Amazon Web Services, Evernote and GitHub -- by using a cryptographically generated code. Every time a user authorizes a device to connect to Google or another compatible service, an MFA token is generated for that particular site, stored on the iOS device, and subsequently used to generate an on-demand login code, which changes every 30 seconds. If the MFA token gets deleted, however, then Google Authenticator can no longer generate a valid code for the site. That's a problem for users who have designated that they only want to allow access to their account using two-factor authentication.

Via email, a Google spokesman confirmed the iOS app token-deleting problem. "We're aware of this issue and are working to release an updated version as soon as possible," he said. But the spokesman declined to respond to a query about whether Google might be able to restore deleted tokens.

"What a pain," said Graham Cluley, an independent security researcher, in a blog post. "Did Google do no quality assurance on this update?"

The first signs of Google Authenticator trouble came early Wednesday. In short order, Amazon Web Services issued a related warning to all customers who use "Google Authenticator for iOS as a multi-factor authentication device to secure your AWS account via AWS MFA," referring to the AWS multi-factor authentication login option.

"Google has recently released an update to the Google Authenticator App in the iOS Store. We've received reports indicating this update is inadvertently deleting all MFA tokens from the smartphone," according to AWS. "This could prevent you from authenticating to your AWS account. At this point, it is our recommendation that you do not update your Google Authenticator App if you're using an iOS device."

Amazon recommended that any AWS users who already updated Authenticator and were no longer able to access their AWS account contact Amazon customer support.

On Hacker News, some iOS 7 beta testers reported that a new feature of the updated operating system is set -- by default -- to automatically update all installed apps. The feature had duly updated the beta testers' version of Google Authenticator to the latest version, thus deleting their existing MFA tokens.

The latest site to allow users to tap Google Authenticator for two-factor authentication is software development hub GitHub, which Tuesday announced the new capability. As part of the two-factor authentication opt-in process, the site said that any users who no longer had access to their registered authentication app -- for example, if their device got stolen -- could use SMS codes or one-time, downloadable recovery codes.

But not all sites that allow users to employ Google Authenticator tokens appear to have been similarly prepared for this type of outage. "This is especially bad for mtgox as it does not have backup codes or cellphone backup," said one Hacker News commenter, referring to Mt.gox, which is the world's largest Bitcoin exchange.

This isn't the first time that an upgraded version of Google Authenticator has wiped existing tokens. In March 2012, for example, Android Police reported that an upgrade for the Android version of Google Authenticator -- taking it to version 2 -- would delete old tokens, unless users ran version 2 before uninstalling version 1. If so, then they'd be presented with an opportunity to migrate their old tokens to the new version of the app.

The site said that "the only explanation" for Google creating a version of the app that wasn't compatible with the old one was if "someone at Google messed up and misplaced the password to the signing key, which forced them to generate a new key and made updates impossible," or else if the signing key password had been compromised.

Learn more about authentication by attending the Interop conference track on Risk Management and Security in New York from Sept. 30 to Oct. 4.